What is the simplest way to retrieve a JWT from Azure Active Directory? I want to execute some REST calls locally and need this token.
I am going through https://msdn.microsoft.com/en-us/library/azure/dn790557.aspx, and what I need to know is whether there is a way to obtain a token without creating an AAD application or service principal.
Answer 0: (Score: 0)
You can use ADAL directly with an Azure account instead of an AAD application and service principal.
Here is a piece of PowerShell code that can be used to obtain an access token from AAD.
###################################################################################
# This is a sample PowerShell script which can use the Azure REST API.
# The sample uses the ADAL inside the Azure SDK for .NET, so before you can
# use this sample, you need to install the latest Azure SDK.
#
# This sample requires user interaction to log in with an Azure account. You
# can use an Organization ID or Live ID as long as you have the right permission.
# In the sample, the Auto prompt behaviour is used, so within one PowerShell
# session you only need to log in once.
###################################################################################
# Loading the ADAL to the PowerShell session. This path here is the default path for the latest Azure SDK.
# If you are installing this somewhere else, you should change the path.
Add-Type -Path 'C:\Program Files\Microsoft Azure Active Directory Connect\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'
# your subscription ID
$subscriptionID = "<subscription id>"
# The tenant ID of your subscription
$tenantID = "<tenant ID>"
# The login Endpoint of your Azure Environment. The endpoint here is for global Azure.
$loginEndpoint = "https://login.windows.net/"
# This is the default redirect URI and the default client ID. You don't need to change this.
# They are hardcoded. Of course, you can also use your own AD Application.
# However, you need to have the permission setup correctly.
$redirectURI = New-Object System.Uri ("urn:ietf:wg:oauth:2.0:oob")
$clientID = "1950a258-227b-4e31-a9cf-717495945fc2"
# The Azure account you want to use.
# you need to have the permission to access the Azure Resources.
$userName = "<Azure AD user with the right permission>"
# the Azure management endpoint. This is for global Azure.
# For Resource Manager model, you can also use https://management.azure.com/.
$resource = "https://management.core.windows.net/"
# Constructing the authorization String.
$authString = $loginEndpoint + $tenantID
# Creating the Authentication Context
$authenticationContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext ($authString, $false)
# Setting the prompt behaviour to be auto, so that you don't need to login every time you run this sample.
$promptBehaviour = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto
# Acquiring Token.
$userIdentifierType = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifierType]::RequiredDisplayableId
$userIdentifier = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier ($userName, $userIdentifierType)
$authenticationResult = $authenticationContext.AcquireToken($resource, $clientID, $redirectURI, $promptBehaviour, $userIdentifier);
As you can see, this PowerShell script was converted from C# code. If you are using something other than PowerShell or C#, you may need to look at the corresponding ADAL for that programming language.
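As an added example (not part of the original answer), here is a PowerShell helper that decodes the payload of the access token returned by the script above and checks its audience, tenant and expiry before the token is placed in an Authorization header. The demo token it builds is constructed for illustration and carries no valid signature; the claim names (aud, tid, exp, nbf) are the standard ones in an AAD access token.

```powershell
# Decode the payload (second segment) of a JWT. Base64url uses '-' and '_' and drops padding.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS: expected 3 dot-separated segments" }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

# Sanity checks before the token is used as a bearer credential. This only reads claims;
# it does NOT verify the signature. Only the resource server (the Azure API) does that.
function Test-AccessToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [Parameter(Mandatory)][string]$ExpectedTenantId
    )
    $claims = Get-JwtPayload -Token $Token
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $problems = @()
    if ($claims.aud -ne $ExpectedAudience) { $problems += "aud is '$($claims.aud)', expected '$ExpectedAudience'" }
    if ($claims.tid -ne $ExpectedTenantId) { $problems += "tid is '$($claims.tid)', expected '$ExpectedTenantId'" }
    if (-not $claims.exp -or $claims.exp -le $now) { $problems += "token has expired or carries no exp claim" }
    if ($claims.nbf -and $claims.nbf -gt $now) { $problems += "token is not yet valid (nbf lies in the future)" }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems; Claims = $claims }
}

# Constructed demo token (header.payload.fake-signature) so the checks can be run offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$demoPayload = @{
    aud = "https://management.core.windows.net/"; tid = "<tenant ID>"
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds(); nbf = 0
} | ConvertTo-Json -Compress
$demoToken = (ConvertTo-Base64Url '{"alg":"none"}') + '.' + (ConvertTo-Base64Url $demoPayload) + '.fake-signature'
Test-AccessToken -Token $demoToken -ExpectedAudience "https://management.core.windows.net/" -ExpectedTenantId "<tenant ID>"

# With a real token from the script above ($resource set to https://management.azure.com/ for ARM):
#   $token = $authenticationResult.AccessToken
#   $check = Test-AccessToken -Token $token -ExpectedAudience $resource -ExpectedTenantId $tenantID
#   if ($check.Ok) {
#       Invoke-RestMethod -Uri "https://management.azure.com/subscriptions?api-version=2016-06-01" `
#                         -Headers @{ Authorization = "Bearer $token" }
#   } else { $check.Problems }
```

The token is a bearer credential for everything the signed-in user can reach in that tenant, so keep it in the session variable and out of scripts, logs and transcripts.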